CVE-2016-5399

Published: 22 July 2016

The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr)
Released (5.5.9+dfsg-1ubuntu4.19)
Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f3feddb5b45b5abd93abb1a95044b7e099d51c84
php7.0
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.9)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (7.0.8-0ubuntu0.16.04.2)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://git.php.net/?p=php-src.git;a=commit;h=f3feddb5b45b5abd93abb1a95044b7e099d51c84

Notes

AuthorNote
seth-arnold
PHP position seems to suggest they'll fix bzread() to ensure
it conforms to the documented behaviour but they won't take any steps
to 'safe' an improper use of API by applications. Since the API was
apparently not honoured before I don't know how an application could be
expected to be correct.

References

Bugs